[Prakhar and Gunjan are students at Rajiv Gandhi National University of Law.]
In recent years, a number of governments across the globe have expressed concern regarding the proliferation of encryption, which impedes potential intelligence gathering and law enforcement investigations. In the midst of this, the government recently enacted the Telecommunications Act 2023 (Act), which seeks to modernize the nation's telecommunications infrastructure in preparation for the era of 5G, the internet of things, and industry 4.0. The recently enacted legislation confers broad authority on the government to intercept and decrypt messages, while simultaneously stripping the Telecom Regulatory Authority of India (TRAI) of its jurisdiction. It is abundantly evident that the Act violates constitutionally protected fundamental rights. Given that India is the second largest market for telecommunications products worldwide, the country should implement more stringent regulations.
This article provides a detailed analysis of how the expansion of government authority can infringe upon the fundamental rights of its citizens. Furthermore, this article examines the notion that decrypting messages results in breaches of privacy on a global scale as well as within national borders. Moreover, this article raises the question of how the government can implement novel approaches to guarantee transparency throughout the entire process, as well as examines how governments worldwide balance the protection of privacy with the preservation of national security. In conclusion, this article proposes strategies for striking a balance between national security and privacy concerns, as well as a path forward for developing a more effective procedure for the retrieval of encrypted user data in India.
Comparing National Security and Privacy
A continuous dispute has existed between the government and messaging platforms concerning Section 69A of the Information Technology Act 2000 (IT Act). According to Section 69A of the IT Act, the government is authorised to block access to information, and the section contains provisions regarding the interception and decryption of messages. However, with the implementation of the Act, the government assumes authority over the decryption process, as specified in Section 20 of the Act, which grants broad powers to intercept messages in the name of a "public emergency". Section 2(g) of the Act provides a definition of messages, which encompass both textual and visual content transmitted via telecommunications. Section 20(1)(a) of the Act states that the government may issue an order mandating the provision of telecommunication messages in an "intelligible format". This means that messages encrypted by private parties, such as WhatsApp and other platforms, will be decrypted.
The Act does not provide a specific definition for the term "public emergency". However, in the case of Hukum Chand Shyam Lal v. Union of India, the court provided a clarification on the meaning of "public emergency". It was determined to pertain to circumstances specified in the subsection concerning the "sovereignty and integrity of India", the security of the state, amicable relations with foreign states, maintenance of public order, or prevention of incitement to commit an offence. Despite efforts by the courts to refine the definition, there remains a possibility that it could be exploited adversely, particularly in cases where the government retains all governing authority. According to the ruling in KS Puttaswamy v. Union of India, privacy is a constitutionally protected fundamental right under Article 21. Permitting message decryption and surveillance will place the privacy of the populace in the control of a limited number of officials.
An International Outlook
In countries such as Russia and China, end-to-end encryption is not a concept. However, in nations like the United Kingdom and the United States, where these platforms are legal, there is an ongoing struggle between the protection of individual privacy and the interests of national security. During the early 2000s, the United States government put forth a proposal to implement clipper chips and key escrow. These measures would employ the Skipjack algorithm to create a cryptographic standard that, if compromised, would grant law enforcement agencies unauthorised access to encrypted communications between individuals. However, in the absence of stringent supervision mechanisms, concerns regarding the potential misuse of data and abuse of power by third parties precluded the implementation of this government concept.
Similar dilemmas regarding the balance between privacy and national security emerged in the case of Apple v. FBI, also known as the San Bernardino case. In the aftermath of the 2011 attacks, the Federal Bureau of Investigation requested Apple to permit message interception in the San Bernardino case, citing concerns for state security. The situation prompted an examination of the trade-off between national security and individual privacy. In response, Apple declined the order and released an open letter in which it warned of the destabilizing consequences that could result from decryption, including severe infringements on free speech and privacy rights. Apple's refusal of the order necessitated the government's engagement of third-party hackers, ultimately resulting in the acquisition of the data. Apple's unwavering position conclusively demonstrates that individuals' privacy cannot be assumed and that additional safeguards must be implemented to protect their rights.
This is not unique to the United States; in recent times, countries such as Australia and the United Kingdom have also enacted legislation permitting access to encrypted data when required. By way of illustration, consider the United Kingdom, where the Online Safety Act was enacted to facilitate communication interception via a notice issued by the communication regulator Ofcom, should it deem it proportionate and necessary. This resulted in a significant public outcry, as messaging platforms that offer end-to-end encryption would be required to employ "accredited technology" to detect content associated with terrorism, child pornography, and other such material. Such a requirement would compromise the security measures provided to users and infringe upon their privacy. Since no accredited technology presently exists, the issue does not conclude here; the act cannot achieve its intended purpose. As a result, the global question of how data can be accessed in accordance with the correct procedure remains obscure, and any attempt to do so without a suitable plan for implementation will be in vain. Another legislation in the United Kingdom that is analogous to the surveillance provisions is the Investigatory Powers Act. This law permits the government to access user data when necessary; however, for the sake of national security, judicial permission is necessary under this regime. This creates a two-tiered process, which guarantees that the interception procedure is conducted fairly.
The preceding examples from the United States and the United Kingdom illustrate that authority does not reside with a single entity and that the judiciary plays a vital role in the retrieval of data. This underscores the notion that governing bodies do not possess complete authority and that continuous supervision by other governing bodies is implemented to safeguard individual liberties.
Conclusion: Mapping the Way Ahead
Amid the enormous global expansion of electronic communications, numerous vital national interests, including the privacy of its citizens, must be protected. In the Zakharov v. Russia case, the European Court of Human Rights determined that the safeguards provided by domestic legislation were inadequate to prevent the potential for legal abuse. In its ruling, the court determined that the government had contravened the law and underscored the imperative for more stringent oversight to avert infringements on privacy that correspond with advancements in technology and surveillance methods.
While centralizing power may entail certain risks, the government's decision to implement the new encryption standards and telecom regulations was justified. This is because safeguarding national security and individual privacy are of equal importance and must not be disregarded. According to a study published by the Ministry of Electronics and Information Technology, the incidence of data intrusions and disclosures within the government is exceptionally high. Moreover, India has received the 5th rank with regard to incidents of data breaches and disclosures. Consequently, a secondary governing body comprised of a limited number of private individuals can oversee the complete procedure, exert influence over the issuance of intercepting orders, and deny such orders if they are deemed irrational or unjust. Moreover, in the case of Arizona v. Gant, the United States courts emphasised that actions taken without the sanction of judicial authority are unreasonable. Consequently, legislators may draw guidance from the implementation of similar legislation in other countries and may also add a judicial review mechanism during the order's approval process. This is because initiating legal proceedings subsequent to the order's enactment can be a protracted process that hinders the administration of justice. As a constant oversight body, the third-party tribunal can ensure that the government's granted powers are not being abused. Consequently, by amending specific provisions of the Act to incorporate a judicial intervention layer and an autonomous third-party tribunal, additional procedural safeguards will be established, ensuring the preservation of individuals' fundamental rights.
Wonderful read!